# CrowdStrike Running Job Guide
This guide shows a **job** that checks whether the CrowdStrike Falcon sensor service (**CSFalconService**) is running and, if not, starts it. The job is deployed to endpoints using a **JobUpdate** policy. Same pattern as the [Windows Defender Running Job Guide](https://docs.keeper.io/en/keeperpam/endpoint-privilege-manager/reference/windows-defender-running-job-guide).
**Audience:** IT admins deploying Keeper Privilege Manager on Windows with CrowdStrike Falcon sensor.
***
### What the Job Does
* **Checks** the status of the **CSFalconService** service (CrowdStrike Falcon Sensor).
* **If the service is stopped,** starts it with `Start-Service -Name CSFalconService`.
* **If the service is already running,** does nothing and exits successfully.
* **Runs** on a **schedule** (default: every 60 minutes) and on **Startup**, so the Falcon sensor is periodically verified and restored if it was stopped.
The job uses a single PowerShell task in the **Service** context. The agent typically runs as LOCAL SYSTEM, which can start the CrowdStrike service.
### Prerequisites
* Keeper Privilege Manager agent installed and running on **Windows**.
* **CrowdStrike Falcon sensor** installed (so the CSFalconService exists).
* PowerShell at `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`.
* Ability to create **JobUpdate** policies and run **Process Configuration Policies** (e.g. from Keeper Admin Console).
## Job Definition (full JSON)
Use this job JSON in a JobUpdate policy (**Extension.JobJson**) or save as `Jobs/ensure-crowdstrike-running.json` for file-based deployment.
```
{
"id": "ensure-crowdstrike-running",
"name": "Ensure CrowdStrike Falcon is running",
"description": "Checks if the CrowdStrike Falcon sensor service (CSFalconService) is running; if not, starts it. Deploy via JobUpdate policy. Runs on schedule (default every 60 min) and on Startup.",
"enabled": true,
"asUser": false,
"priority": 5,
"schedule": {
"intervalMinutes": 60
},
"events": [
{ "eventType": "Startup" }
],
"parameters": [],
"tasks": [
{
"id": "check-and-start-crowdstrike",
"name": "Check CrowdStrike Falcon service and start if stopped",
"ExecutionType": "Service",
"command": "powershell.exe",
"executablePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"arguments": "-NoProfile -ExecutionPolicy Bypass -Command \"& { $s = Get-Service -Name CSFalconService -ErrorAction SilentlyContinue; if (-not $s) { exit 1 }; if ($s.Status -ne 'Running') { Start-Service -Name CSFalconService -ErrorAction Stop }; exit 0 }\"",
"expectedExitCode": 0,
"timeoutSeconds": 30,
"continueOnFailure": false
}
],
"mqttTopics": { "allowedPublications": ["KeeperLogger"], "allowedSubscriptions": [] },
"osFilter": { "windows": true, "linux": false, "macOS": false }
}
```
### Deploy the Job via JobUpdate Policy
1. **Create a JobUpdate policy** in your policy store or Keeper Admin Console with:
* **PolicyType:** `JobUpdate`
* **Status:** `enabled`
* **Extension:**
* **JobId:** `ensure-crowdstrike-running`
* **Action:** `Add`
* **JobJson:** The full job object above (single line or formatted).
2. **Example policy structure:**
```
{
"PolicyId": "deploy-ensure-crowdstrike-running",
"PolicyName": "Deploy job: Ensure CrowdStrike Falcon is running",
"PolicyType": "JobUpdate",
"Status": "enabled",
"Extension": {
"JobId": "ensure-crowdstrike-running",
"Action": "Add",
"JobJson": {
"id": "ensure-crowdstrike-running",
"name": "Ensure CrowdStrike Falcon is running",
"description": "Checks if the CrowdStrike Falcon sensor service (CSFalconService) is running; if not, starts it.",
"enabled": true,
"asUser": false,
"priority": 5,
"schedule": { "intervalMinutes": 60 },
"events": [{ "eventType": "Startup" }],
"parameters": [],
"tasks": [
{
"id": "check-and-start-crowdstrike",
"name": "Check CrowdStrike Falcon service and start if stopped",
"ExecutionType": "Service",
"command": "powershell.exe",
"executablePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"arguments": "-NoProfile -ExecutionPolicy Bypass -Command \"& { $s = Get-Service -Name CSFalconService -ErrorAction SilentlyContinue; if (-not $s) { exit 1 }; if ($s.Status -ne 'Running') { Start-Service -Name CSFalconService -ErrorAction Stop }; exit 0 }\"",
"expectedExitCode": 0,
"timeoutSeconds": 30,
"continueOnFailure": false
}
],
"mqttTopics": { "allowedPublications": ["KeeperLogger"], "allowedSubscriptions": [] },
"osFilter": { "windows": true, "linux": false, "macOS": false }
}
}
}
```
3. **Assign the policy** to the desired Windows collections or machines (where Falcon sensor is installed).
4. **Run Process Configuration Policies** on the agents so they receive the job:
* Rely on the normal schedule (e.g. after policy sync), or
* Trigger manually: `POST https://127.0.0.1:6889/api/Jobs/process-configuration-policies/run` (Admin auth).
5. **Confirm the job is present:**\
`GET https://127.0.0.1:6889/api/Jobs` — you should see `ensure-crowdstrike-running`.
***
### When the Job Runs
* **Startup** — Runs once when the agent (or machine) starts.
* **Every 60 minutes** — Per `schedule.intervalMinutes`. Change `intervalMinutes` in the job JSON if you want a different interval.
No manual trigger is required unless you want to run it once on demand (e.g. `POST .../api/Jobs/ensure-crowdstrike-running/run`).
### Verification
* **Service status (PowerShell):**
```
Get-Service -Name CSFalconService
```
Status should be **Running** after the job has run (or after starting it manually for testing).
* **Agent logs:** Check for task `check-and-start-crowdstrike` and any PowerShell or service errors.
* **Run job once (optional):**
```
Invoke-RestMethod -Method Post -Uri "https://127.0.0.1:6889/api/Jobs/ensure-crowdstrike-running/run" -SkipCertificateCheck
```
### Troubleshooting
| Issue | What to check |
| ------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Job not on endpoint | JobUpdate policy assigned; Process Configuration Policies has run; `GET /api/Jobs` shows the job. |
| Exit code 1 | CSFalconService may not exist (Falcon sensor not installed or different product); check `Get-Service CSFalconService` on the machine. |
| Access denied starting service | Agent must run as an account that can start services (e.g. LOCAL SYSTEM). |
| Start-Service fails (e.g. "Disabled" state) | The service must be set to **Automatic** or **Manual**; if it is **Disabled**, Start-Service will fail. Use `Set-Service -Name CSFalconService -StartupType Automatic` (in an elevated prompt) or services.msc. |
| Different interval | Edit **JobJson** in the policy: change `schedule.intervalMinutes` (e.g. 30), then run Process Configuration Policies again (or use JobUpdate Action **Update** with the full revised job). |
### Reference
* **Job id:** `ensure-crowdstrike-running`
* **Job file (if not using policy):** `Jobs/ensure-crowdstrike-running.json`
* **Service name:** `CSFalconService` (CrowdStrike Falcon Sensor)
* **Platform:** Windows only.
For the same pattern applied to Windows Defender, see [Windows Defender Running Job Guide](https://docs.keeper.io/en/keeperpam/endpoint-privilege-manager/reference/windows-defender-running-job-guide). For general job and policy details, see the Getting Started docs (Jobs definition and format, Create/Modify/Delete job).
